O le pou o loʻo faʻamatalaina laasaga e faʻaautomatika ai le puleaina o tusi faamaonia SSL mai faʻaaogaina и AWS.
o se meafaigaluega e mafai ai ona tatou faʻatinoina lenei vaega. E mafai ona galue faʻatasi ma tusi faamaonia SSL mai Let's Encrypt, faʻasaoina i latou i le Amazon Certificate Manager, faʻaaoga le Route53 API e faʻatino ai le luʻitau DNS-01, ma, mulimuli ane, tulei faʻamatalaga i SNS. IN acme-dns-auala53 O loʻo iai foʻi galuega faʻaoga mo le faʻaaogaina i totonu o le AWS Lambda, ma o le mea lea matou te manaʻomia.
Ua vaevaeina lenei tusiga i vaega e 4:
- fatuina o se faila zip;
- faia o se matafaioi IAM;
- fatuina o se galuega lambda e tamoʻe acme-dns-auala53;
- fatuina o se taimi CloudWatch e fa'aosoina ai se galuega 2 taimi i le aso;
Manatua: Ae e te leʻi amataina e tatau ona e faʻapipiʻi и
Fausia se faila zip
acme-dns-route53 o loʻo tusia i GoLang ma lagolagoina le faʻasologa e le maualalo ifo i le 1.9.
Matou te manaʻomia le fatuina o se faila zip ma se binary acme-dns-route53 totonu. Ina ia faia lenei mea e tatau ona e faʻapipiʻi acme-dns-route53 mai GitHub faleoloa faʻaaoga le poloaiga go install:
$ env GOOS=linux GOARCH=amd64 go install github.com/begmaroman/acme-dns-route53Ua fa'apipi'i le binary i totonu $GOPATH/bin fa'atonuga. Faamolemole ia matau i le taimi o le faʻapipiʻiina na matou faʻamaonia ni suiga se lua: GOOS=linux и GOARCH=amd64. Latou te faʻamalamalama manino i le Go compiler e manaʻomia le fatuina o se binary talafeagai mo le Linux OS ma le amd64 architecture - o le mea lea e alu i luga o le AWS.
O loʻo faʻamoemoeina e le AWS la tatou polokalame e faʻapipiʻi i se faila zip, o lea tatou fatuina acme-dns-route53.zip archive lea o le a aofia ai le binary fou faʻapipiʻi:
$ zip -j ~/acme-dns-route53.zip $GOPATH/bin/acme-dns-route53Manatua: O le binary e tatau ona i totonu o le aʻa o le zip archive. Mo lenei mea matou te faʻaaogaina -j fu'a.
O lea la ua sauni le matou igoa fa'ailoga zip mo le fa'atinoina, pau lava le mea e totoe o le faia lea o se matafaioi ma aia tatau.
Fausia se matafaioi IAM
Matou te manaʻomia le faʻatulagaina o se matafaioi IAM ma aia tatau e manaʻomia e le matou lambda i le taimi o lona faʻatinoga.
Se'i ta'ua lea faiga faavae lambda-acme-dns-route53-executor ma tuu atu loa ia te ia se matafaioi faavae AWSLambdaBasicExecutionRole. Ole mea lea ole a fa'ataga ai a tatou lambda e tamo'e ma tusi ogalaau ile auaunaga AWS CloudWatch.
Muamua, matou te fatuina se faila JSON e faʻamatalaina a matou aia tatau. Ole mea lea ole a fa'ataga ai lambda auaunaga e fa'aoga le matafaioi lambda-acme-dns-route53-executor:
$ touch ~/lambda-acme-dns-route53-executor-policy.jsonO mea o loʻo i totonu o la matou faila e faʻapea:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup"
],
"Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:*"
},
{
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:CreateLogStream"
],
"Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/lambda/acme-dns-route53:*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"route53:ListHostedZones",
"cloudwatch:PutMetricData",
"acm:ImportCertificate",
"acm:ListCertificates"
],
"Resource": "*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"sns:Publish",
"route53:GetChange",
"route53:ChangeResourceRecordSets",
"acm:ImportCertificate",
"acm:DescribeCertificate"
],
"Resource": [
"arn:aws:sns:${var.region}:<AWS_ACCOUNT_ID>:<TOPIC_NAME>",
"arn:aws:route53:::hostedzone/*",
"arn:aws:route53:::change/*",
"arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*"
]
}
]
}Sei o tatou tamo'e le poloaiga aws iam create-role faia se matafaioi:
$ aws iam create-role --role-name lambda-acme-dns-route53-executor
--assume-role-policy-document ~/lambda-acme-dns-route53-executor-policy.jsonManatua: manatua le faiga faʻavae ARN (Amazon Resource Name) - matou te manaʻomia i isi laasaga.
Matafaioi lambda-acme-dns-route53-executor faia, o lea e tatau ona tatou faʻamaonia faʻatagaga mo ia. O le auala pito sili ona faigofie e fai ai lenei mea o le faʻaaogaina lea o le poloaiga aws iam attach-role-policy, pasia tulafono ARN AWSLambdaBasicExecutionRole e pei ona taʻua i lalo:
$ aws iam attach-role-policy --role-name lambda-acme-dns-route53-executor
--policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRoleManatua: e mafai ona maua se lisi ma isi faiga fa'avae .
Fausia se galuega lambda e tamoʻe acme-dns-auala53
Talofa! O lea e mafai ona e faʻaogaina la matou galuega i le AWS e faʻaaoga ai le poloaiga aws lambda create-function. O le lambda e tatau ona faʻatulagaina e faʻaaoga ai suiga ole siosiomaga nei:
AWS_LAMBDA- fa'amalamalama manino acme-dns-auala53 o lena faʻasalaga e tupu i totonu o le AWS Lambda.DOMAINS— o se lisi o vaega e tuueseeseina i koma.LETSENCRYPT_EMAIL- aofia ai .NOTIFICATION_TOPIC— igoa ole SNS Notification Autu (filifiliga).STAGING- i le tau1fa'aogaina le siosiomaga fa'atulagaina.1024MB - tapulaa manatua, e mafai ona suia.900secs (15 min) — taimi malolo.acme-dns-route53— le igoa o le tatou binary, lea o loo i le archive.fileb://~/acme-dns-route53.zip— le ala i le archive na matou fatuina.
Se'i tatou fa'apipi'i nei:
$ aws lambda create-function
--function-name acme-dns-route53
--runtime go1.x
--role arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor
--environment Variables="{AWS_LAMBDA=1,DOMAINS="example1.com,example2.com",[email protected],STAGING=0,NOTIFICATION_TOPIC=acme-dns-route53-obtained}"
--memory-size 1024
--timeout 900
--handler acme-dns-route53
--zip-file fileb://~/acme-dns-route53.zip
{
"FunctionName": "acme-dns-route53",
"LastModified": "2019-05-03T19:07:09.325+0000",
"RevisionId": "e3fadec9-2180-4bff-bb9a-999b1b71a558",
"MemorySize": 1024,
"Environment": {
"Variables": {
"DOMAINS": "example1.com,example2.com",
"STAGING": "1",
"LETSENCRYPT_EMAIL": "[email protected]",
"NOTIFICATION_TOPIC": "acme-dns-route53-obtained",
"AWS_LAMBDA": "1"
}
},
"Version": "$LATEST",
"Role": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor",
"Timeout": 900,
"Runtime": "go1.x",
"TracingConfig": {
"Mode": "PassThrough"
},
"CodeSha256": "+2KgE5mh5LGaOsni36pdmPP9O35wgZ6TbddspyaIXXw=",
"Description": "",
"CodeSize": 8456317,
"FunctionArn": "arn:aws:lambda:us-east-1:<AWS_ACCOUNT_ID>:function:acme-dns-route53",
"Handler": "acme-dns-route53"
}Fausia se taimi CloudWatch e fa'aosoina ai se galuega fa'alua i le aso
O le laasaga mulimuli o le setiina o le cron, lea e taʻua ai la tatou galuega faʻalua i le aso:
- faia se tulafono CloudWatch ma le tau
schedule_expression. - fatuina se faʻatonuga tulafono (mea e tatau ona faʻatinoina) e ala i le faʻamaonia o le ARN o le galuega lambda.
- tuu atu le faatagaga i le tulafono e valaau ai le galuega lambda.
I lalo ua ou faʻapipiʻiina laʻu Terraform config, ae o le mea moni e faia lenei mea i le faʻaaogaina o le AWS console poʻo le AWS CLI.
# Cloudwatch event rule that runs acme-dns-route53 lambda every 12 hours
resource "aws_cloudwatch_event_rule" "acme_dns_route53_sheduler" {
name = "acme-dns-route53-issuer-scheduler"
schedule_expression = "cron(0 */12 * * ? *)"
}
# Specify the lambda function to run
resource "aws_cloudwatch_event_target" "acme_dns_route53_sheduler_target" {
rule = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.name}"
arn = "${aws_lambda_function.acme_dns_route53.arn}"
}
# Give CloudWatch permission to invoke the function
resource "aws_lambda_permission" "permission" {
action = "lambda:InvokeFunction"
function_name = "${aws_lambda_function.acme_dns_route53.function_name}"
principal = "events.amazonaws.com"
source_arn = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.arn}"
}Ole taimi nei ua fa'atulagaina oe e otometi ona fatuina ma fa'afou tusi faamaonia SSL
puna: www.habr.com